<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    
    <title>OpenVPN Installation | jouyouyun&#39;s blog</title>
    <meta name="viewport" content="width=device-width,minimum-scale=1">
    <meta name="description" content="Install the required software
Arch: yaourt -S openvpn easy-rsa
Generate certificates
Server side

Copy template file

sudo mkdir -p /etc/openvpn
sudo cp -R /etc/easy-rsa /etc/openvpn

Config vars

Uncomment and edit the following entries:">
    <meta name="generator" content="Hugo 0.105.0">
    
    
    
    
      <meta name="robots" content="noindex, nofollow">
    

    
<link rel="stylesheet" href="/ananke/css/main.min.css" >



    
    
    
      

    

    
    
    <meta property="og:title" content="OpenVPN Installation" />
<meta property="og:description" content="Install the required software
Arch: yaourt -S openvpn easy-rsa
Generate certificates
Server side

Copy template file

sudo mkdir -p /etc/openvpn
sudo cp -R /etc/easy-rsa /etc/openvpn

Config vars

Uncomment and edit the following entries:" />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://jouyouyun.github.io/post/openvpn-installation/" /><meta property="article:section" content="post" />
<meta property="article:published_time" content="2016-12-27T21:38:21+08:00" />
<meta property="article:modified_time" content="2019-02-12T14:35:40+08:00" />

<meta itemprop="name" content="OpenVPN Installation">
<meta itemprop="description" content="Install the required software
Arch: yaourt -S openvpn easy-rsa
Generate certificates
Server side

Copy template file

sudo mkdir -p /etc/openvpn
sudo cp -R /etc/easy-rsa /etc/openvpn

Config vars

Uncomment and edit the following entries:"><meta itemprop="datePublished" content="2016-12-27T21:38:21+08:00" />
<meta itemprop="dateModified" content="2019-02-12T14:35:40+08:00" />
<meta itemprop="wordCount" content="414">
<meta itemprop="keywords" content="openvpn," /><meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="OpenVPN Installation"/>
<meta name="twitter:description" content="Install the required software
Arch: yaourt -S openvpn easy-rsa
Generate certificates
Server side

Copy template file

sudo mkdir -p /etc/openvpn
sudo cp -R /etc/easy-rsa /etc/openvpn

Config vars

Uncomment and edit the following entries:"/>

	
  </head>

  <body class="ma0 avenir bg-near-white">

    
   
  




    <main class="pb7" role="main">
      
  
  <article class="flex-l flex-wrap justify-between mw8 center ph3">
    <header class="mt4 w-100">
      <h1 class="f1 athelas mt3 mb1">OpenVPN Installation</h1>
      
      <p class="tracked">
         <strong>jouyouyun</strong>
      </p>
      
      
      
      <time class="f6 mv4 dib tracked" datetime="2016-12-27T21:38:21+08:00">December 27, 2016</time>
      

      
      
    </header>
    <div class="nested-copy-line-height lh-copy serif f4 nested-links mid-gray pr4-l w-two-thirds-l"><h2 id="安装所需软件">Install the required software</h2>
<p>Arch: <code>yaourt -S openvpn easy-rsa</code></p>
<h2 id="生成证书">Generate certificates</h2>
<h3 id="server-端">Server side</h3>
<ul>
<li>Copy template file</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>sudo mkdir -p /etc/openvpn
</span></span><span style="display:flex;"><span>sudo cp -R /etc/easy-rsa /etc/openvpn
</span></span></code></pre></div><ul>
<li>Config vars</li>
</ul>
<p>Uncomment and edit the following entries:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>set_var EASYRSA_REQ_COUNTRY     <span style="color:#e6db74">&#34;CN&#34;</span>
</span></span><span style="display:flex;"><span>set_var EASYRSA_REQ_PROVINCE    <span style="color:#e6db74">&#34;Hongkong&#34;</span>
</span></span><span style="display:flex;"><span>set_var EASYRSA_REQ_CITY        <span style="color:#e6db74">&#34;Hongkong&#34;</span>
</span></span><span style="display:flex;"><span>set_var EASYRSA_REQ_ORG         <span style="color:#e6db74">&#34;jouyouyun.info&#34;</span>
</span></span><span style="display:flex;"><span>set_var EASYRSA_REQ_EMAIL       <span style="color:#e6db74">&#34;wen@jouyouyun.iofn&#34;</span>
</span></span><span style="display:flex;"><span>set_var EASYRSA_REQ_OU          <span style="color:#e6db74">&#34;Jouyouyun OpenVPN&#34;</span>
</span></span></code></pre></div><ul>
<li>Create the root (CA) certificate</li>
</ul>
<p>The <code>ca</code> certificate requires a passphrase; this passphrase is used later when signing the server and client certificates.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>easyrsa init-pki
</span></span><span style="display:flex;"><span>easyrsa build-ca
</span></span></code></pre></div><ul>
<li>Create and sign the server certificate</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>easyrsa gen-req &lt;server name&gt; nopass
</span></span><span style="display:flex;"><span>easyrsa sign server &lt;server name&gt;
</span></span></code></pre></div><ul>
<li>Create the Diffie-Hellman parameters</li>
</ul>
<p>Their purpose is to let the shared key be established securely across an untrusted network.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>easyrsa gen-dh
</span></span></code></pre></div><ul>
<li>Create and sign the client certificate</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>easyrsa gen-req &lt;client name&gt; nopass
</span></span><span style="display:flex;"><span>easyrsa sign client &lt;client name&gt;
</span></span></code></pre></div><h2 id="配置服务器端">Configure the server</h2>
<p>Copy the template file (<code>/usr/share/openvpn/examples/server.conf</code>) to the <code>/etc/openvpn</code> directory, then edit the relevant entries.</p>
<p>Then place the certificate files in the <code>/etc/openvpn</code> directory; the files needed are:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>easy-rsa/pki/ca.crt
</span></span><span style="display:flex;"><span>easy-rsa/pki/dh.pem
</span></span><span style="display:flex;"><span>easy-rsa/pki/issued/&lt;server name&gt;.crt
</span></span><span style="display:flex;"><span>easy-rsa/pki/private/&lt;server name&gt;.key
</span></span></code></pre></div><h2 id="配置客户端">Configure the client</h2>
<p>Copy the template file <code>/usr/share/openvpn/examples/client.conf</code>, then edit the relevant entries.</p>
<p>Place the following certificate files alongside the configuration file; the files needed are:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>easy-rsa/pki/ca.crt
</span></span><span style="display:flex;"><span>easy-rsa/pki/issued/&lt;client name&gt;.crt
</span></span><span style="display:flex;"><span>easy-rsa/pki/private/&lt;client name&gt;.key
</span></span></code></pre></div><h2 id="开启路由转发">Enable IP forwarding</h2>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>sed -i <span style="color:#e6db74">&#39;/net.ipv4.ip_forward/s/0/1/&#39;</span> /etc/sysctl.conf
</span></span><span style="display:flex;"><span>sysctl -p
</span></span><span style="display:flex;"><span><span style="color:#75715e"># allow traffic from the VPN client subnet to be forwarded to other interfaces</span>
</span></span><span style="display:flex;"><span>iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
</span></span><span style="display:flex;"><span><span style="color:#75715e"># NAT VPN client traffic out through eth0 so that clients can reach the Internet</span>
</span></span><span style="display:flex;"><span>iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j  MASQUERADE
</span></span></code></pre></div><h2 id="示例">Examples</h2>
<p>Authentication can use either certificates or a username and password; username/password authentication is recommended because it makes adding users easier.</p>
<h3 id="证书认证">Certificate authentication</h3>
<ul>
<li>Server side</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>port <span style="color:#ae81ff">1194</span>
</span></span><span style="display:flex;"><span>proto tcp
</span></span><span style="display:flex;"><span>dev tun
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>ca /etc/openvpn/ca.crt
</span></span><span style="display:flex;"><span>cert /etc/openvpn/server.crt
</span></span><span style="display:flex;"><span>key /etc/openvpn/server.key
</span></span><span style="display:flex;"><span>dh /etc/openvpn/dh.pem
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>server 10.8.0.0 255.255.255.0
</span></span><span style="display:flex;"><span>ifconfig-pool-persist /etc/openvpn/ipp.txt
</span></span><span style="display:flex;"><span>push <span style="color:#e6db74">&#34;redirect-gateway def1 bypass-dhcp&#34;</span>
</span></span><span style="display:flex;"><span>push <span style="color:#e6db74">&#34;dhcp-option DNS 8.8.8.8&#34;</span>
</span></span><span style="display:flex;"><span>push <span style="color:#e6db74">&#34;dhcp-option DNS 8.8.4.4&#34;</span>
</span></span><span style="display:flex;"><span>client-to-client
</span></span><span style="display:flex;"><span>keepalive <span style="color:#ae81ff">10</span> <span style="color:#ae81ff">120</span>
</span></span><span style="display:flex;"><span>cipher AES-256-CBC
</span></span><span style="display:flex;"><span>;comp-lzo <span style="color:#75715e"># compression disabled; if enabled here, it must also be enabled in the client config</span>
</span></span><span style="display:flex;"><span>max-clients <span style="color:#ae81ff">100</span>
</span></span><span style="display:flex;"><span>persist-key
</span></span><span style="display:flex;"><span>persist-tun
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>status /var/log/openvpn/openvpn-status.log
</span></span><span style="display:flex;"><span>log         /var/log/openvpn/openvpn.log
</span></span><span style="display:flex;"><span>log-append  /var/log/openvpn/openvpn.log
</span></span><span style="display:flex;"><span>verb <span style="color:#ae81ff">3</span>
</span></span></code></pre></div><ul>
<li>Client side</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>client
</span></span><span style="display:flex;"><span>dev tun
</span></span><span style="display:flex;"><span>proto tcp
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>resolv-retry infinite
</span></span><span style="display:flex;"><span>remote &lt;your vps ip&gt; <span style="color:#ae81ff">1194</span>
</span></span><span style="display:flex;"><span>nobind
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>persist-key
</span></span><span style="display:flex;"><span>persist-tun
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>ca ca.crt
</span></span><span style="display:flex;"><span>cert client.crt
</span></span><span style="display:flex;"><span>key client.key
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>cipher AES-256-CBC
</span></span><span style="display:flex;"><span><span style="color:#75715e">#comp-lzo</span>
</span></span><span style="display:flex;"><span>verb <span style="color:#ae81ff">3</span>
</span></span></code></pre></div><h3 id="用户名密码认证">Username/password authentication</h3>
<p>Add <code>auth-user-pass-verify</code> to enable the password-checking script. Example script, which reads the <code>/etc/openvpn/passwd</code> file:</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#75715e">#!/bin/sh
</span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#75715e">###########################################################</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># checkpsw.sh (C) 2004 Mathias Sundman &lt;mathias@openvpn.se&gt;</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e">#</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># This script will authenticate OpenVPN users against</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># a plain text file. The passfile should simply contain</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># one row per user with the username first followed by</span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># one or more space(s) or tab(s) and then the password.</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>PASSFILE<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/etc/openvpn/passwd&#34;</span>
</span></span><span style="display:flex;"><span>LOG_FILE<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;/var/log/openvpn/openvpn-password.log&#34;</span>
</span></span><span style="display:flex;"><span>TIME_STAMP<span style="color:#f92672">=</span><span style="color:#e6db74">`</span>date <span style="color:#e6db74">&#34;+%Y-%m-%d %T&#34;</span><span style="color:#e6db74">`</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#75715e">###########################################################</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> <span style="color:#f92672">[</span> ! -r <span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>PASSFILE<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">]</span>; <span style="color:#66d9ef">then</span>
</span></span><span style="display:flex;"><span>  echo <span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>TIME_STAMP<span style="color:#e6db74">}</span><span style="color:#e6db74">: Could not open password file \&#34;</span><span style="color:#e6db74">${</span>PASSFILE<span style="color:#e6db74">}</span><span style="color:#e6db74">\&#34; for reading.&#34;</span> &gt;&gt; <span style="color:#e6db74">${</span>LOG_FILE<span style="color:#e6db74">}</span>
</span></span><span style="display:flex;"><span>  exit <span style="color:#ae81ff">1</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">fi</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>CORRECT_PASSWORD<span style="color:#f92672">=</span><span style="color:#e6db74">`</span>awk <span style="color:#e6db74">&#39;!/^;/&amp;&amp;!/^#/&amp;&amp;$1==&#34;&#39;</span><span style="color:#e6db74">${</span>username<span style="color:#e6db74">}</span><span style="color:#e6db74">&#39;&#34;{print $2;exit}&#39;</span> <span style="color:#e6db74">${</span>PASSFILE<span style="color:#e6db74">}</span><span style="color:#e6db74">`</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> <span style="color:#f92672">[</span> <span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>CORRECT_PASSWORD<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;&#34;</span> <span style="color:#f92672">]</span>; <span style="color:#66d9ef">then</span>
</span></span><span style="display:flex;"><span>  echo <span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>TIME_STAMP<span style="color:#e6db74">}</span><span style="color:#e6db74">: User does not exist: username=\&#34;</span><span style="color:#e6db74">${</span>username<span style="color:#e6db74">}</span><span style="color:#e6db74">\&#34;, password=\&#34;</span><span style="color:#e6db74">${</span>password<span style="color:#e6db74">}</span><span style="color:#e6db74">\&#34;.&#34;</span> &gt;&gt; <span style="color:#e6db74">${</span>LOG_FILE<span style="color:#e6db74">}</span>
</span></span><span style="display:flex;"><span>  exit <span style="color:#ae81ff">1</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">fi</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> <span style="color:#f92672">[</span> <span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>password<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>CORRECT_PASSWORD<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span> <span style="color:#f92672">]</span>; <span style="color:#66d9ef">then</span>
</span></span><span style="display:flex;"><span>  echo <span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>TIME_STAMP<span style="color:#e6db74">}</span><span style="color:#e6db74">: Successful authentication: username=\&#34;</span><span style="color:#e6db74">${</span>username<span style="color:#e6db74">}</span><span style="color:#e6db74">\&#34;.&#34;</span> &gt;&gt; <span style="color:#e6db74">${</span>LOG_FILE<span style="color:#e6db74">}</span>
</span></span><span style="display:flex;"><span>  exit <span style="color:#ae81ff">0</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">fi</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#34;</span><span style="color:#e6db74">${</span>TIME_STAMP<span style="color:#e6db74">}</span><span style="color:#e6db74">: Incorrect password: username=\&#34;</span><span style="color:#e6db74">${</span>username<span style="color:#e6db74">}</span><span style="color:#e6db74">\&#34;, password=\&#34;</span><span style="color:#e6db74">${</span>password<span style="color:#e6db74">}</span><span style="color:#e6db74">\&#34;.&#34;</span> &gt;&gt; <span style="color:#e6db74">${</span>LOG_FILE<span style="color:#e6db74">}</span>
</span></span><span style="display:flex;"><span>exit <span style="color:#ae81ff">1</span>
</span></span></code></pre></div><ul>
<li>Server side</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>port <span style="color:#ae81ff">1194</span>
</span></span><span style="display:flex;"><span>proto tcp
</span></span><span style="display:flex;"><span>dev tap
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># do not require a client certificate</span>
</span></span><span style="display:flex;"><span>client-cert-not-required
</span></span><span style="display:flex;"><span>username-as-common-name
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>script-security <span style="color:#ae81ff">3</span> system
</span></span><span style="display:flex;"><span><span style="color:#75715e"># verify the password with a script</span>
</span></span><span style="display:flex;"><span>auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>ca   /etc/openvpn/keys/ca.crt
</span></span><span style="display:flex;"><span>cert /etc/openvpn/keys/server.crt
</span></span><span style="display:flex;"><span>key  /etc/openvpn/keys/server.key
</span></span><span style="display:flex;"><span>dh   /etc/openvpn/keys/dh1024.pem
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>server 10.8.6.0 255.255.255.0
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># remember the existing user-to-IP assignments</span>
</span></span><span style="display:flex;"><span>ifconfig-pool-persist ipp.txt
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># allow clients to reach each other</span>
</span></span><span style="display:flex;"><span>client-to-client
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>keepalive <span style="color:#ae81ff">10</span> <span style="color:#ae81ff">120</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>user nobody
</span></span><span style="display:flex;"><span>group nogroup
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>persist-key
</span></span><span style="display:flex;"><span>persist-tun
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#75715e"># write the status log</span>
</span></span><span style="display:flex;"><span>status openvpn-status.log
</span></span><span style="display:flex;"><span><span style="color:#75715e"># log verbosity level</span>
</span></span><span style="display:flex;"><span>verb <span style="color:#ae81ff">3</span>
</span></span></code></pre></div><ul>
<li>Client side</li>
</ul>
<p>In the client configuration, remove the certificate-related entries and add <code>auth-user-pass</code> to enable username/password verification.
You can also add <code>auth-nocache</code> so that the username and password are not kept in memory after a disconnect, which improves security.</p>
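<p>A hardened version of the password-check script above, written for this page as an added example (not the blog's or OpenVPN's code): it stores salted SHA-256 hashes instead of cleartext passwords, hands the username to awk through the environment instead of splicing it into the awk program, and never writes the submitted password to the log (the original logs it on every failed attempt). It assumes coreutils <code>sha256sum</code> (falling back to <code>shasum</code>) and the <code>auth-user-pass-verify ... via-env</code> invocation from the server config above; the <code>via-file</code> form is handled as well.</p>

```shell
#!/bin/sh
# Hardened replacement for checkpsw.sh (added example, not the blog's or OpenVPN's code).
# Password file format, one user per line:  USER SALT HEX_SHA256("SALT:PASSWORD")
# Lines starting with ';' or '#' are comments, as in the original.

PASSFILE="${PASSFILE:-/etc/openvpn/passwd}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn/openvpn-password.log}"

# sha256_hex: read stdin, print the hex digest only (sha256sum on Linux, shasum elsewhere)
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# hash_password SALT PASSWORD -> hex SHA-256 of "SALT:PASSWORD"
hash_password() {
    printf '%s:%s' "$1" "$2" | sha256_hex
}

# make_entry USER PASSWORD SALT -> one password-file line "USER SALT HASH"
# (use a fresh random salt per user when creating real entries)
make_entry() {
    printf '%s %s %s\n' "$1" "$3" "$(hash_password "$3" "$2")"
}

# verify_user PASSFILE USER PASSWORD -> status 0 only if the user exists and the hash matches
verify_user() {
    [ -r "$1" ] || return 1
    # The username is read via ENVIRON, so quotes or backslashes in it cannot alter
    # the awk program (the original built the program text from the username).
    entry=$(u="$2" awk '!/^[;#]/ && $1 == ENVIRON["u"] { print $2, $3; exit }' "$1")
    [ -n "$entry" ] || return 1
    salt=${entry% *}
    stored=${entry#* }
    [ "$(hash_password "$salt" "$3")" = "$stored" ]
}

# log_result MESSAGE -> timestamped line in LOG_FILE; callers never pass the password
log_result() {
    printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$LOG_FILE"
}

# Entry point when OpenVPN runs the script. With via-file, $1 names a temporary file
# holding the username on line 1 and the password on line 2; with via-env both are
# exported as $username and $password.
if [ -n "$1" ] && [ -r "$1" ]; then
    username=$(sed -n '1p' "$1")
    password=$(sed -n '2p' "$1")
fi
if [ -n "$username" ]; then
    if verify_user "$PASSFILE" "$username" "$password"; then
        log_result "Successful authentication: username=\"$username\""
        exit 0
    fi
    log_result "Authentication failed: username=\"$username\""
    exit 1
fi
```

<p>OpenVPN's manual documents <code>via-file</code> as the safer of the two forms because the credentials never enter the process environment, and with it <code>script-security 2</code> is sufficient (level 3 exists only to permit passing passwords through environment variables).</p>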
<h2 id="参考">References</h2>
<ul>
<li><a href="http://blog.chinaunix.net/uid-24250828-id-3536671.html">Notes on OpenVPN key authentication and username/password authentication on Linux</a></li>
</ul>
    </div>


  </article>

    </main>
    <footer class="bg-black bottom-0 w-100 pa3" role="contentinfo">
  <div class="flex justify-between">
  <a class="f4 fw4 hover-white no-underline white-70 dn dib-ns pv2 ph3" href="https://jouyouyun.github.io" >
    &copy;  jouyouyun 2023 
  </a>
  </div>
</footer>

  </body>
</html>
